[JAMES-3636] IMAP plainAuthDisallowed should be true by default - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.6.0
Fix Version/s: 3.7.0
Component/s: IMAPServer
Labels:
None

Description

Encouraging non encrypted login is definitely a bad practice and could lead to session fixation (where the attacker logs in first then the victim do not realize it's login fails).

We should make the safe 'plainAuthDisallowed' option the default everywhere.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Benoit Tellier

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Aug/21 02:09

Updated:: 08/Sep/21 04:53

Resolved:: 08/Sep/21 04:53